This document provides a sample configuration for mapping one local IP
address to two or more global IP addresses through policy-based static Network
Address Translation (NAT) on the PIX/Adaptive Security Appliance (ASA) 7.x
software.

The information in this document is based on these software and
hardware versions:

This specific example uses an ASA 5520. However, the policy NAT
configuration works on any PIX or ASA appliance that runs 7.x
software.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

This configuration example has an internal web server at
192.168.100.50, located behind the ASA. The requirement is that the server
must be reachable from the outside interface both by its internal IP address,
192.168.100.50, and by its external address, 172.16.171.125. There is also a
security policy requirement that the private IP address 192.168.100.50 can be
accessed only from the 172.16.171.0/24 network. Additionally, Internet Control
Message Protocol (ICMP) and port 80 traffic are the only protocols allowed
inbound to the internal web server. Since two global IP addresses are mapped to
one local IP address, you need to use policy NAT, which selects the translation
based on the destination of the traffic as well as its source. Otherwise, the
PIX/ASA rejects the second of two one-to-one statics for the same local address
with an overlapping address error.

This section provides information you can use to troubleshoot your
configuration.

If your ping or connection is unsuccessful, use syslogs to determine
whether there are any problems with the translation configuration. On a
lightly used network (such as a lab environment), the logging buffer is
usually large enough for troubleshooting; otherwise, send the syslogs to an
external syslog server. Enable logging to the buffer at level 6
(informational), the level at which the translation and connection messages
are generated, and check those syslog entries to see whether the configuration
is correct.

If you see translation errors in the log, double-check your NAT
configuration. If you do not observe any syslogs, use the capture function on
the ASA to capture the traffic on the interface. In order to set up a capture,
you must first define an access-list that matches the specific type of traffic
or TCP flow of interest. Next, apply the capture to one or more interfaces in
order to start capturing packets.
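The requirement described earlier (one local address, two global addresses, restricted inbound access) and the logging and capture steps of this section, written out as one added ASA 7.x example. This is not the original document's configuration listing; the interface names inside/outside and all access-list and capture names are assumptions.

```text
! Added example, not the document's own listing. Assumes interfaces named
! "inside" and "outside"; the access-list and capture names are chosen here.
!
! --- Policy NAT: one local address, two global addresses ---
! Identity translation, used only when the peer is 172.16.171.0/24.
! Define this static first: policy statics are evaluated in order, so the
! more specific rule must precede the general one.
access-list policy_nat_private extended permit ip host 192.168.100.50 172.16.171.0 255.255.255.0
static (inside,outside) 192.168.100.50 access-list policy_nat_private
! Every other peer reaches the server through the global address.
access-list policy_nat_global extended permit ip host 192.168.100.50 any
static (inside,outside) 172.16.171.125 access-list policy_nat_global
!
! --- Inbound policy on the outside interface ---
! In 7.x an ACL on the outside interface matches the global (translated)
! address. Only ICMP and TCP/80 are permitted; everything else is dropped
! by the implicit deny at the end of the list.
access-list outside_in extended permit tcp any host 172.16.171.125 eq www
access-list outside_in extended permit icmp any host 172.16.171.125
access-list outside_in extended permit tcp 172.16.171.0 255.255.255.0 host 192.168.100.50 eq www
access-list outside_in extended permit icmp 172.16.171.0 255.255.255.0 host 192.168.100.50
access-group outside_in in interface outside
!
! --- Troubleshooting: buffered syslog at level 6 (informational) ---
logging enable
logging buffered informational
! Review the buffer with:  show logging
!
! --- Troubleshooting: capture on the outside interface ---
! Match the server under both addresses it can show on the outside wire.
access-list cap_server extended permit ip any host 172.16.171.125
access-list cap_server extended permit ip host 172.16.171.125 any
access-list cap_server extended permit ip any host 192.168.100.50
access-list cap_server extended permit ip host 192.168.100.50 any
capture cap_outside access-list cap_server interface outside
! Review with:  show capture cap_outside
! Remove when finished:  no capture cap_outside
```

If packets appear in the capture but no level 6 translation messages appear in the buffer, the traffic is reaching the interface but is not matching a static, so the policy access-lists are the first thing to re-check.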